
Commit 4991fddc authored by Sean Thomas's avatar Sean Thomas

Unlocked devices should have nonnormal DICE chains

Adds a test that checks two system properties for an indication that the
device is unlocked. If the DICE chain is not degenerate, then the test
checks that the mode on the leaf certificate in the DICE chain is not
normal.

Test: atest VtsHalRemotelyProvisionedComponentTargetTest
      atest libkeymint_remote_prov_support_test
Bug: 377829077
Change-Id: I65a9845f32d673833ccd2993d59f9ed899d2da11
parent e71d95f7
+4 −0
@@ -227,6 +227,10 @@ ErrMsgOr<bool> compareRootPublicKeysInDiceChains(const std::vector<uint8_t>& csr
 */
ErrMsgOr<bool> verifyComponentNameInKeyMintDiceChain(const std::vector<uint8_t>& csr);

/** Checks whether the DICE chain in the CSR has a certificate with a non-normal mode. */
ErrMsgOr<bool> hasNonNormalModeInDiceChain(const std::vector<uint8_t>& csr,
                                           std::string_view instanceName);

/** Verify the DICE chain. */
ErrMsgOr<std::vector<BccEntryData>> validateBcc(const cppbor::Array* bcc,
                                                hwtrust::DiceChain::Kind kind, bool allowAnyMode,
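Review bot: The doc comment on `hasNonNormalModeInDiceChain` does not say what `instanceName` is used for or when the `ErrMsgOr<bool>` carries an error instead of a value. The first parameter is also named `csr` here but `encodedCsr` in the definition. The commit message describes the check as applying to the leaf certificate while this comment says any certificate in the chain, so the comment should state which of the two callers can rely on. Something like `/** Returns true if a certificate in the CSR's DICE chain has a mode other than normal; returns an error message if the CSR or its DICE chain cannot be validated for instanceName. */` would cover it, with the parameter renamed to `encodedCsr` to match. The `validateBcc` declaration below it continues outside the hunk.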
+26 −0
@@ -970,4 +970,30 @@ ErrMsgOr<bool> verifyComponentNameInKeyMintDiceChain(const std::vector<uint8_t>&
    return *satisfied;
}

ErrMsgOr<bool> hasNonNormalModeInDiceChain(const std::vector<uint8_t>& encodedCsr,
                                           std::string_view instanceName) {
    auto diceChainKind = getDiceChainKind();
    if (!diceChainKind) {
        return diceChainKind.message();
    }

    auto csr = hwtrust::Csr::validate(encodedCsr, *diceChainKind, false /*isFactory*/,
                                      true /*allowAnyMode*/, deviceSuffix(instanceName));
    if (!csr.ok()) {
        return csr.error().message();
    }

    auto diceChain = csr->getDiceChain();
    if (!diceChain.ok()) {
        return diceChain.error().message();
    }

    auto hasNonNormalModeInDiceChain = diceChain->hasNonNormalMode();
    if (!hasNonNormalModeInDiceChain.ok()) {
        return hasNonNormalModeInDiceChain.error().message();
    }

    return *hasNonNormalModeInDiceChain;
}

}  // namespace aidl::android::hardware::security::keymint::remote_prov
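Review bot: The local variable `hasNonNormalModeInDiceChain` near the end of the function has the same name as the function it lives in, which hides the function inside that scope and makes the last two statements harder to read. A distinct name is clearer, e.g. `auto hasNonNormalMode = diceChain->hasNonNormalMode();`. The call to `hwtrust::Csr::validate` passes `true /*allowAnyMode*/`, presumably so that a chain with a non-normal mode survives validation and can be inspected. A one-line comment such as `// allowAnyMode: the mode is what is being inspected, so validation must not reject on it` would keep a later reader from tightening it to `false`, and from reusing this helper as an acceptance check for a CSR.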
+86 −0
@@ -484,6 +484,81 @@ inline const std::vector<uint8_t> kCsrWithKeyMintInComponentName{
        0x30, 0x35, 0x2e, 0x34, 0x32, 0x3a, 0x75, 0x73, 0x65, 0x72, 0x2f, 0x72, 0x65, 0x6c, 0x65,
        0x61, 0x73, 0x65, 0x2d, 0x6b, 0x65, 0x79, 0x73};

inline std::vector<uint8_t> kCsrWithDebugMode{
        0x85, 0x01, 0xa0, 0x82, 0xa5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20, 0x03,
        0x09, 0xad, 0x0d, 0x07, 0xec, 0x59, 0xfc, 0x14, 0x31, 0x21, 0x1f, 0xbc, 0x8e, 0x44, 0xe7,
        0x0f, 0xa9, 0xb7, 0x5a, 0x57, 0x38, 0x5f, 0x76, 0x8a, 0xa3, 0x38, 0x2c, 0xf0, 0x1b, 0x37,
        0x15, 0x22, 0x58, 0x20, 0x82, 0xae, 0x09, 0x76, 0x9c, 0x1d, 0x18, 0x39, 0x5d, 0x09, 0xf8,
        0x19, 0x86, 0x70, 0x60, 0x12, 0x1e, 0x06, 0xb3, 0x68, 0x4a, 0x27, 0x2c, 0x79, 0xd3, 0x83,
        0xb8, 0x54, 0x5b, 0x9f, 0xc0, 0x9f, 0x84, 0x43, 0xa1, 0x01, 0x26, 0xa0, 0x59, 0x01, 0x04,
        0xa9, 0x01, 0x66, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x02, 0x67, 0x73, 0x75, 0x62, 0x6a,
        0x65, 0x63, 0x74, 0x3a, 0x00, 0x47, 0x44, 0x50, 0x58, 0x20, 0x55, 0x55, 0x55, 0x55, 0x55,
        0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55,
        0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x3a, 0x00, 0x47,
        0x44, 0x52, 0x58, 0x20, 0xb8, 0x96, 0x54, 0xe2, 0x2c, 0xa4, 0xd2, 0x4a, 0x9c, 0x0e, 0x45,
        0x11, 0xc8, 0xf2, 0x63, 0xf0, 0x66, 0x0d, 0x2e, 0x20, 0x48, 0x96, 0x90, 0x14, 0xf4, 0x54,
        0x63, 0xc4, 0xf4, 0x39, 0x30, 0x38, 0x3a, 0x00, 0x47, 0x44, 0x53, 0x55, 0xa1, 0x3a, 0x00,
        0x01, 0x11, 0x71, 0x6e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x5f, 0x6e,
        0x61, 0x6d, 0x65, 0x3a, 0x00, 0x47, 0x44, 0x54, 0x58, 0x20, 0x55, 0x55, 0x55, 0x55, 0x55,
        0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55,
        0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x3a, 0x00, 0x47,
        0x44, 0x56, 0x41, 0x02, 0x3a, 0x00, 0x47, 0x44, 0x57, 0x58, 0x4d, 0xa5, 0x01, 0x02, 0x03,
        0x26, 0x20, 0x01, 0x21, 0x58, 0x20, 0x5f, 0xcf, 0x63, 0xcc, 0x24, 0x16, 0x66, 0x11, 0x6c,
        0xaf, 0xed, 0xf4, 0x02, 0x8f, 0xc9, 0x14, 0xc7, 0x32, 0xa5, 0xdb, 0x41, 0x53, 0x54, 0x34,
        0xcf, 0xcd, 0x6b, 0x4c, 0xb2, 0x22, 0x89, 0x96, 0x22, 0x58, 0x20, 0x4c, 0xed, 0xe3, 0x92,
        0x94, 0x8f, 0x04, 0xd6, 0x04, 0x3a, 0x6c, 0x15, 0x5f, 0xbb, 0x52, 0x4a, 0x7d, 0x94, 0xcf,
        0x31, 0x49, 0x31, 0x28, 0x66, 0x38, 0xe2, 0x40, 0x3e, 0xd0, 0xc1, 0x2b, 0xf4, 0x3a, 0x00,
        0x47, 0x44, 0x58, 0x41, 0x20, 0x58, 0x40, 0xb6, 0x0b, 0xa7, 0x9c, 0x02, 0x6d, 0x64, 0x98,
        0x9d, 0x73, 0x1b, 0x74, 0x21, 0x32, 0xf6, 0xb6, 0x1e, 0x6d, 0x07, 0x56, 0x0f, 0x5f, 0x14,
        0x60, 0xf9, 0x68, 0xb5, 0xee, 0xa5, 0xf9, 0x9b, 0xa9, 0x88, 0x4c, 0x55, 0x75, 0x26, 0xa7,
        0x84, 0xee, 0x07, 0x8a, 0xdc, 0xeb, 0x6d, 0xfe, 0x53, 0xe4, 0x38, 0xa8, 0x11, 0x1f, 0x57,
        0xbe, 0x77, 0x51, 0xc7, 0xbe, 0x4b, 0xd5, 0x2f, 0x9c, 0x2a, 0xcd, 0x84, 0x43, 0xa1, 0x01,
        0x26, 0xa0, 0x59, 0x02, 0x0f, 0x82, 0x58, 0x20, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16,
        0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x59, 0x01, 0xe9, 0x84, 0x03,
        0x67, 0x6b, 0x65, 0x79, 0x6d, 0x69, 0x6e, 0x74, 0xae, 0x65, 0x62, 0x72, 0x61, 0x6e, 0x64,
        0x66, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x65, 0x66, 0x75, 0x73, 0x65, 0x64, 0x01, 0x65,
        0x6d, 0x6f, 0x64, 0x65, 0x6c, 0x65, 0x6d, 0x6f, 0x64, 0x65, 0x6c, 0x66, 0x64, 0x65, 0x76,
        0x69, 0x63, 0x65, 0x66, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x67, 0x70, 0x72, 0x6f, 0x64,
        0x75, 0x63, 0x74, 0x65, 0x70, 0x69, 0x78, 0x65, 0x6c, 0x68, 0x76, 0x62, 0x5f, 0x73, 0x74,
        0x61, 0x74, 0x65, 0x65, 0x67, 0x72, 0x65, 0x65, 0x6e, 0x6a, 0x6f, 0x73, 0x5f, 0x76, 0x65,
        0x72, 0x73, 0x69, 0x6f, 0x6e, 0x62, 0x31, 0x32, 0x6c, 0x6d, 0x61, 0x6e, 0x75, 0x66, 0x61,
        0x63, 0x74, 0x75, 0x72, 0x65, 0x72, 0x66, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x6d, 0x76,
        0x62, 0x6d, 0x65, 0x74, 0x61, 0x5f, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x4f, 0x11, 0x22,
        0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x6e, 0x73,
        0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x5f, 0x6c, 0x65, 0x76, 0x65, 0x6c, 0x63, 0x74,
        0x65, 0x65, 0x70, 0x62, 0x6f, 0x6f, 0x74, 0x5f, 0x70, 0x61, 0x74, 0x63, 0x68, 0x5f, 0x6c,
        0x65, 0x76, 0x65, 0x6c, 0x1a, 0x01, 0x34, 0x8c, 0x62, 0x70, 0x62, 0x6f, 0x6f, 0x74, 0x6c,
        0x6f, 0x61, 0x64, 0x65, 0x72, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x65, 0x66, 0x6c, 0x6f, 0x63,
        0x6b, 0x65, 0x64, 0x72, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x5f, 0x70, 0x61, 0x74, 0x63,
        0x68, 0x5f, 0x6c, 0x65, 0x76, 0x65, 0x6c, 0x1a, 0x01, 0x34, 0x8c, 0x61, 0x72, 0x76, 0x65,
        0x6e, 0x64, 0x6f, 0x72, 0x5f, 0x70, 0x61, 0x74, 0x63, 0x68, 0x5f, 0x6c, 0x65, 0x76, 0x65,
        0x6c, 0x1a, 0x01, 0x34, 0x8c, 0x63, 0x82, 0xa6, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21,
        0x58, 0x20, 0x78, 0xa9, 0x66, 0xc0, 0xc1, 0x92, 0xc9, 0x0d, 0x74, 0xbf, 0x81, 0x99, 0xe6,
        0x7c, 0x61, 0xb2, 0xc3, 0x41, 0x27, 0x4e, 0x92, 0xd8, 0xd8, 0xf8, 0x34, 0x43, 0x81, 0xe1,
        0x9c, 0x5f, 0xed, 0xbb, 0x22, 0x58, 0x20, 0x80, 0x05, 0x96, 0xe5, 0x65, 0x7e, 0xa8, 0x5b,
        0x58, 0xf7, 0x2c, 0xb8, 0x28, 0x95, 0x34, 0x7a, 0x88, 0xd5, 0xe2, 0x1c, 0x20, 0x01, 0xd7,
        0x60, 0xfe, 0xec, 0xf1, 0x3f, 0x69, 0xfc, 0xc0, 0xa4, 0x23, 0x58, 0x21, 0x00, 0x99, 0xad,
        0x34, 0x13, 0xf0, 0x7f, 0xaa, 0xf7, 0xda, 0xe9, 0x95, 0xfe, 0x2a, 0x36, 0xf5, 0xac, 0xbb,
        0xad, 0x39, 0x8f, 0x3f, 0x86, 0x10, 0x39, 0x2c, 0xa9, 0x4c, 0xb9, 0xbb, 0x79, 0x10, 0x45,
        0xa6, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20, 0xd2, 0x94, 0xcb, 0x74, 0x5f,
        0x9c, 0xc2, 0x1e, 0x47, 0x28, 0x69, 0x85, 0x6e, 0xf2, 0x34, 0x0a, 0x62, 0x90, 0xc3, 0xb0,
        0xc9, 0x3a, 0xb2, 0x32, 0xdc, 0x99, 0x19, 0x9b, 0x36, 0xde, 0x78, 0xed, 0x22, 0x58, 0x20,
        0xd9, 0x81, 0x04, 0x83, 0xbb, 0x85, 0x3e, 0x3b, 0x46, 0xe8, 0xe1, 0xa3, 0x8a, 0x04, 0xb9,
        0x3f, 0x74, 0x4e, 0x5c, 0x96, 0x21, 0x5c, 0x79, 0x0b, 0x8e, 0x4e, 0x7d, 0x61, 0x1b, 0x69,
        0xb2, 0x46, 0x23, 0x58, 0x20, 0x2f, 0x79, 0xf7, 0xbb, 0xbb, 0x7e, 0xee, 0x15, 0x61, 0xa2,
        0x78, 0x5f, 0x9c, 0x8c, 0xaf, 0x52, 0xcb, 0xbe, 0x24, 0x31, 0xa8, 0x95, 0x86, 0x8d, 0xed,
        0x98, 0x80, 0x71, 0x53, 0x91, 0xb3, 0x87, 0x58, 0x40, 0x19, 0xc9, 0xc4, 0x4e, 0x8b, 0xae,
        0x26, 0x7f, 0xdd, 0x9c, 0xac, 0xe2, 0xbf, 0xe2, 0xfb, 0x3c, 0x3f, 0xd6, 0x6f, 0x9a, 0x97,
        0xc3, 0x2a, 0x60, 0xfe, 0x0e, 0x9f, 0x11, 0xc9, 0x04, 0xa7, 0xdf, 0xe1, 0x21, 0x1e, 0xc1,
        0x10, 0x10, 0x64, 0xf7, 0xeb, 0xcc, 0x3a, 0x4c, 0xa6, 0xdf, 0xd8, 0xf5, 0xcc, 0x0d, 0x34,
        0xa4, 0x32, 0xf4, 0x0a, 0xd7, 0x83, 0x1e, 0x30, 0x0d, 0x68, 0x6a, 0xb4, 0xc1, 0xa1, 0x6b,
        0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x78, 0x3b, 0x62, 0x72,
        0x61, 0x6e, 0x64, 0x31, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x31, 0x2f, 0x64,
        0x65, 0x76, 0x69, 0x63, 0x65, 0x31, 0x3a, 0x31, 0x31, 0x2f, 0x69, 0x64, 0x2f, 0x32, 0x30,
        0x32, 0x31, 0x30, 0x38, 0x30, 0x35, 0x2e, 0x34, 0x32, 0x3a, 0x75, 0x73, 0x65, 0x72, 0x2f,
        0x72, 0x65, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x2d, 0x6b, 0x65, 0x79, 0x73};

inline const std::vector<uint8_t> kCsrWithSharedUdsRoot1{
        0x85, 0x01, 0xa0, 0x82, 0xa5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20, 0x96,
        0xf9, 0xf7, 0x16, 0xa7, 0xe2, 0x20, 0xe3, 0x6e, 0x19, 0x8e, 0xc0, 0xc4, 0x82, 0xc5, 0xca,
@@ -1016,6 +1091,17 @@ TEST(RemoteProvUtilsTest, componentNameInLeafCertificateOfDiceChainContainsKeyMi
    ASSERT_FALSE(*result2) << "Leaf Certificate in CSR contains 'keymint' in component name";
}

TEST(RemoteProvUtilsTest, checkModeOnCertificatesInDiceChain) {
    auto hasNonNormalMode = hasNonNormalModeInDiceChain(kCsrWithDebugMode, DEFAULT_INSTANCE_NAME);
    ASSERT_TRUE(hasNonNormalMode) << hasNonNormalMode.message();
    ASSERT_TRUE(*hasNonNormalMode);

    auto hasNonNormalModeInDiceChain2 =
            hasNonNormalModeInDiceChain(kCsrWithUdsCerts, DEFAULT_INSTANCE_NAME);
    ASSERT_TRUE(hasNonNormalModeInDiceChain2) << hasNonNormalModeInDiceChain2.message();
    ASSERT_FALSE(*hasNonNormalModeInDiceChain2);
}

TEST(RemoteProvUtilsTest, parseFullyQualifiedInstanceNames) {
    ASSERT_EQ(deviceSuffix(RKPVM_INSTANCE_NAME), "avf");
    ASSERT_EQ(deviceSuffix(DEFAULT_INSTANCE_NAME), "default");
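Review bot: `kCsrWithDebugMode` is declared `inline std::vector<uint8_t>` without `const`, while the neighbouring fixtures `kCsrWithKeyMintInComponentName` and `kCsrWithSharedUdsRoot1` are `inline const`. A mutable fixture shared across tests can be altered by one test and silently change what another one verifies, so the declaration should read `inline const std::vector<uint8_t> kCsrWithDebugMode{`. In `checkModeOnCertificatesInDiceChain` the second result is named `hasNonNormalModeInDiceChain2`, which differs from the function name only by a suffix, and something like `normalChainResult` would read better next to `hasNonNormalMode`. Judging by the fixture name, only a debug-mode chain is exercised as the positive case. If fixtures for the other non-normal modes are available, a case for each would pin the helper's behaviour more completely.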
+31 −0
@@ -848,6 +848,37 @@ class CertificateRequestV2Test : public CertificateRequestTestBase {
    }
};

/**
 * Check that ro.boot.vbmeta.device_state is not "locked" or ro.boot.verifiedbootstate
 * is not "green" if and only if the mode on at least one certificate in the DICE chain
 * is non-normal.
 */
TEST_P(CertificateRequestV2Test, unlockedBootloaderStatesImpliesNonnormalDiceChain) {
    auto challenge = randomBytes(MAX_CHALLENGE_SIZE);
    bytevec csr;
    auto status =
            provisionable_->generateCertificateRequestV2({} /* keysToSign */, challenge, &csr);
    ASSERT_TRUE(status.isOk()) << status.getDescription();

    auto isProper = isCsrWithProperDiceChain(csr, GetParam());
    ASSERT_TRUE(isProper) << isProper.message();
    if (!*isProper) {
        GTEST_SKIP() << "Skipping test: Only a proper DICE chain has a mode set.";
    }

    auto nonNormalMode = hasNonNormalModeInDiceChain(csr, GetParam());
    ASSERT_TRUE(nonNormalMode) << nonNormalMode.message();

    auto deviceState = ::android::base::GetProperty("ro.boot.vbmeta.device_state", "");
    auto verifiedBootState = ::android::base::GetProperty("ro.boot.verifiedbootstate", "");

    ASSERT_EQ(deviceState != "locked" || verifiedBootState != "green", *nonNormalMode)
            << "ro.boot.vbmeta.device_state = '" << deviceState
            << "' and ro.boot.verifiedbootstate = '" << verifiedBootState << "', but it is "
            << *nonNormalMode
            << " that the DICE chain has a certificate with a non-normal mode set.";
}

/**
 * Generate an empty certificate request with all possible length of challenge, and decrypt and
 * verify the structure and content.
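Review bot: The check in `unlockedBootloaderStatesImpliesNonnormalDiceChain` is an `ASSERT_EQ`, so it enforces an equivalence, while the test name and the commit title state only the implication from an unlocked device to a non-normal DICE chain. As written, a device that reports `locked` and `green` but carries a non-normal mode in its chain fails too. If that is intended the test name should say so, and if not the check could be `if (deviceState != "locked" || verifiedBootState != "green") ASSERT_TRUE(*nonNormalMode);`. Both properties are read with a default of `""`, so an unset property counts as unlocked and the failure message prints empty quotes. An explicit `ASSERT_FALSE(deviceState.empty() || verifiedBootState.empty()) << "boot state properties are not set";` before the comparison would make that case self-explanatory, or a skip if the properties are optional on some targets. The doc comment that follows the test continues outside the hunk.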